3/04/2010 @ 3:40PM

Cybersecurity: Just Get Tough

Talking security with those who know–or even worse, knew very recently and can now talk–is an alarming business. Wednesday I was onstage and talking backstage at the RSA security conference with both former U.S. Homeland Security Michael Chertoff and former National Security Council official Richard Clarke, along with Electronic Privacy Information Center Executive Director Marc Rotenberg. Judging from our conversation, the U.S. is in a frightening place and needs to move fast.

Chertoff, who now heads a group consulting to private industry, said he recently played the role of the president’s national security advisor in a mock cyber conflict. Within 90 minutes of an attack on U.S. critical infrastructure–something he acknowledged has already occurred in small, probing ways–he and other officials were advising the president to call out the troops to secure our country.

Clarke, who now heads a group called Good Harbor Consulting, which specializes in physical security, said that 20 to 30 nations (including our own) now practice cyber warfare, “and yet there is no strategy” for how to carry out war, command or deterrence. What we do have, he said, are cyber bombs and booby traps throughout our electronic networks, in particular our power grid. According to the CIA, he said, Brazil has already suffered a blackout as a result of a criminal extortion scheme.

In his thinking, we are already in a kind of low-level war, losing billions in commercial and defense intelligence and seeing our citizens at risk of attack. “Everyone has been successfully penetrated,” he said. “What no one is talking about is, our technology isn’t coping–our system has failed.”

Rotenberg, for his part, feared most the steps an under-prepared government might take in the panic following an attack. The final refuge of a democracy, the individual’s privacy and the right to suspect the motives and seek redress from his government, could all suffer, he said, as “the collateral damage” of a conflict.

What’s needed? Tough talk and clear thinking. Clarke, who was unafraid of naming names, said it is time to stop letting Russia and China pretend they do not know what the criminal gangs and hackers in their countries are doing, and to punish the countries for not cracking down. Chertoff compared such a move to steps we have taken in controlling international financial fraud, such as money laundering.

One threat to misbehaving countries: delaying their own Internet traffic, for slow inspection, as it crosses into nations that agreed to tougher security.

No one seemed to want the government directly involved in monitoring what is in our critical infrastructure. It is, after all, 85% to 90% owned by the private sector. But Clarke and Rotenberg, sometimes seemingly at odds about the threat, agreed that it would be possible for Internet Service Providers to more closely monitor traffic for virus-carrying malware.

Another important role for the government might be setting standards for devices, even helping create an independent agency where gadgets could be approved as secure. On this front, both
Microsoft’s
Internet Explorer browser and
Apple’s
iPhone came in for criticism.